Where networking and knowledge intersect.
Christos K. Dimitriadis, Ph.D., CISA, CISM
As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security, as explained in this article, acts as a key parameter that affects business risk. This is explored in this article in the context of the lottery sector.
The academic definition of information security is the “preservation of confidentiality, integrity and availability of information.”1 Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed.
Historically, information security has been addressed primarily as a technical issue. Preventive controls—such as firewalls, user access control mechanisms, encryption of data and communications, digital signatures, data backup systems, and detective controls such as intrusion detection systems or security monitoring platforms—have formed the basic components of security architecture. Often, the technical controls were complemented by a set of security policies, procedures and guidelines aimed at controlling the actions of personnel.
This approach, though, has proven to be insufficient. Security incidents continue to rise and security problems seem unsolved while information security experts have been challenged to effectively communicate the value of information security to enterprise management.
The root cause of these problems may be the definition of information security itself. There is a lack of consistency as each sector, industry and even enterprise has had to define information security uniquely, based on very specific business needs. This lack of consistency has contributed to a lack of understanding and a lack of appreciation for the value of information security.
This article presents the definition of information security in the lottery sector and, specifically, in a case study of GIDANI, the National Lottery of South Africa.
To define information security in the lottery sector, one must understand its business objectives, identify stakeholders and link them to information protection attributes.
Lotteries sell games to the public. These games have to be trusted to achieve customer (player) acquisition and retention, which directly affect the lottery’s revenue. Player trust is a key success factor that is directly related to:
Providing lottery games to the public also has societal and political facets. Lotteries are usually controlled directly by the local government and are always subject to a regulatory and legal framework. The provision of secure and fair lottery games to citizens is a matter of social responsibility. Moreover, the government is a shareholder of the lottery (directly or indirectly though taxing); thus, a lottery’s business success affects the corresponding governmental revenue.
The aforementioned facts are clarified in relation to information security when the drivers of shareholders’ trust are studied in more detail. For example:
In relation to the business role of information security in the lottery sector, the following definition can be deduced: Information security is defined as a driver of:
Using this definition of information security for the lottery sector, a holistic approach is required for addressing the information security requirements of each unique lottery. This, in turn, requires a detailed lottery business analysis for embedding information security into the specific business processes of the lottery and for addressing the human factor and minimizing the uncertainty it introduces. International security standards provide the basis toward that direction.
In 2006, the Security and Risk Management Committee of the World Lottery Association (WLA)2 published the most recent version of its Security Control Standard (SCS). This standard describes a number of information security controls (technical and procedural) tailored to the lottery sector. Indicatively, it includes rules regarding the management of lottery draws and protection of prize money and Internet gaming systems. WLA SCS is an extension of the globally recognized information security standard ISO 27001 of the International Organization for Standardization (ISO),3 which is related to the establishment of information security management systems (ISMSs). Such systems provide the framework for managing information security from planning to implementation, monitoring and improvement.
ISACA has published a set of information technology (IT) auditing standards and the Risk IT: Based on COBIT® framework,4 which provides a set of guiding principles for effective management of IT risk. Risk IT complements COBIT®,5 a comprehensive framework developed by ISACA for the governance and control of business-driven, IT-based solutions and services. In 2009, ISACA published An Introduction to the Business Model for Information Security, the first publication released under the Business Model for Information Security™ (BMIS™),6 which addresses information security from a business perspective, and in 2010, the full model was published as The Business Model for Information Security.
Other standards include the Payment Card Industry Data Security Standard (PCI DSS),7 a set of requirements for enhancing payment account data security, and the Special Publications (800 series) of the US National Institute of Standards and Technology (NIST),8 which are documents of general interest to the computer security community.
The aforementioned standards provide an indicative view of the information security standards landscape. Other standardization bodies and associations provide their own guidelines in the field. In addition, technical security best practices of system vendors provide additional guidelines.
The modern lottery sector has to select the information security standards to use as a basis for its security architecture, and it must customize this selection according to its specific business needs.
Studying the information security standards horizontally, a number of basic processes/steps that lead to the identification of information security requirements are identified, including:
One of the most recent information security frameworks that addresses information security from a business point of view is ISACA’s BMIS, illustrated in figure 1.
The following definitions of the BMIS elements (derived from An Introduction to the Business Model for Information Security)9 are necessary for understanding how BMIS works:
To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology. The following case study provides an example of the operation of the model in the lottery sector.
Following a Holistic ApproachAs an innovator in the lottery information security field, GIDANI has implemented a business model to understand and to more deeply address its information security needs and to make them an integral part of its business processes.
GIDANI has deployed a customized ISMS, following a combination of international security standards. The GIDANI ISMS includes all rules, procedures and information security management principles regarding security organization, asset management, human resources security, access control, physical security, communications security, operations security, compliance, incident management, business continuity management and system security, covering its whole development life cycle. Moreover, specific procedures have been applied regarding lottery game integrity and instant ticket security. The following paragraphs outline how the dynamic interconnections of BMIS (noted in bold) relate to the GIDANI ISMS.
Information security at GIDANI is an integral part of the business strategy of the lottery. Governing all information security activities is the responsibility of an executive committee chaired by the chief executive officer (CEO). Strategic plan execution, including a strategy definition as a result of business analysis (e.g., information security analysis in the life cycle of a new game development); resource management; and lottery operations are controlled by the executive committee that monitors security performance, value delivery and risk levels of all integrated information security controls. This structure provides a good practice for expressing management commitment and control, having information security as a top priority in the operation of the lottery.
Architecture is based on a lottery-specific threat model that serves the security requirements of all critical business processes as identified through governing. For example, there are technical controls in place for protecting game integrity, controlling access to lottery business reports, securely managing game configuration, establishing secure communication lines for game transactions (communication between the central system and terminals at the point of sale), isolating the computer room physically and ensuring game continuity by the implementation of a disaster recovery site.
Enabling and support represents how security processes are automated by the use of technology, and also which processes are used to complement automated security controls and to evaluate and improve them. GIDANI has automated all lottery-related processes by the deployment of the lottery system. Transaction engine (ticket processing) security configuration, support and operation are implemented by a number of written and continuously improved processes. Simultaneously, there is a security technology evaluation process in place that is used for calibrating and extending lottery system security for addressing business needs. For example, the business need for providing Internet gaming goes through a security assessment of the current technology. In this assessment, automation controls are identified (such as the player identity management mechanism) and complemented by manual procedures (e.g., review of player access rights) following official GIDANI rules. Since selling lottery games through the Internet has been identified as a key business enabler in governing, information security controls have become a priority.
Human factors affect both architecture and enabling and support. For example, if an operator at GIDANI is managing roles within the lottery ticket sales monitoring application, this operator may find the role management system too cumbersome and complex to use (human factors). This is reported as feedback to the security officer, who asks for the assessment of the whole process and technology (enabling and support) to identify opportunities for improvement. This assessment will take into account the whole architecture as well, identifying the impact on other components of the system. One improvement may relate to the extension of the security training program of GIDANI. Another may relate to the reconfiguration of the security control or its replacement.
Culture is an element of the GIDANI security model that has a tremendous positive effect in making information security work in practice. GIDANI is characterized by a clear set of hierarchy levels with the roles of each level having been defined accurately and supported by specific operational procedures. The management model, as defined by the governing dynamic interconnection, encourages free communication at all levels of personnel, and especially encourages feedback on the security operations. That means that GIDANI has “low power distance” in terms of free communication of information security matters from the bottom to the top of the hierarchy. For example, if employees identify difficulties in implementing a security process or using a security technology, they freely report it to the security officer to investigate the improvement of the process. At the same time, if employees identify a security incident (e.g., confidential gaming information left in a meeting room), they report it immediately as a security incident. This reporting is not translated as an offensive action between employees, but instead as a collective action, giving the opportunity to management to take preventive or corrective actions.
Emergence is one of the most important dynamic interconnections of the business model since it deals with the uncertainty factor in information security at GIDANI. Due to human nature, the execution by people of processes within a corporation cannot be characterized as deterministic. Despite the detailed procedures, people sometimes act in an ad hoc manner and make mistakes. Emergence can be defined as “the developments and patterns that arise in the course of process execution by people.”10 While no one can ensure the absence of security incidents, there are solutions through the study of emergence that limit the possibilities to a minimum level. For example, a strong security culture, as described previously, permits GIDANI to have on-time reporting of security incidents. After reporting, the root-cause analysis process, in which the actual reasons for the realization of the incident are identified and corrective actions are implemented, takes over.
For example, a security operator, due to increased stress, may assign incorrect access rights to a retailer manager (one who monitors the status of retailers). This will be reported to the security officer through the processing of alerts and logs (potential access to critical information) and by the role that monitors security records (for every change in user access rights a signed form is required). One could assume that this was an unpredictable event (stressed employee). The truth, however, may relate to an increased workload in defining access rights caused by a major change in the lottery system, which, in turn, makes the user access management procedure too difficult to implement and no longer effective. Through the study of emergence, within the framework of the model, GIDANI is in place to link architectural changes with human factors (usability of security controls), enabling and support (combination of technical and procedural controls), and governing (limited number of employees in relation to the workload), and to correct the user access management procedure on time.
Even then, people will continue to insert uncertainty in the security processes, and some security incidents will still be unavoidable. Through the operation of the model, however, the whole picture of information security will become clear, providing the opportunity to security experts to learn more accurately from mistakes and improve information security.
Information security will be understood, provide added value and effectively contribute to the operation of an organization only if it is designed and implemented as a core ingredient of the business strategy. Stakeholder, shareholder and player trust are the key ingredients of information security in the lottery sector, unveiling its societal, business and legal nature. Organizations from other sectors should identify such key ingredients similarly for providing a business definition to information security.
While technical security controls are important, what distinguishes a typical information security management system from an effective one is the ability to correlate all parameters in the operation of an organization, especially the human factor. While absolute information security is theoretically unachievable, lotteries and organizations alike have the ability to reduce uncertainty and to continuously improve their approaches to making information security a business enabler.
1 International Organization for Standardization, ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems— Requirements, 20052 World Lottery Association, www.world-lotteries.org3 International Organization for Standardization, www.iso.org4 ISACA, Risk IT: Based on COBIT, www.isaca.org/riskit5 ISACA, COBIT, www.isaca.org/cobit6 ISACA, Business Model for Information Security (BMIS), www.isaca.org/bmis7 PCI Security Standards Council, Payment Card Industry Data Security Standard (PCI DSS), www.pcisecuritystandards.org/security_standards/pci_dss.shtml8 National Institute of Standards and Technology (NIST), Computer Security Division, Computer Security Resource Center, Special Publications (800 Series), http://csrc.nist.gov/publications/PubsSPs.html9 Op cit, ISACA, BMIS10 Op cit, ISACA, BMIS
Christos K. Dimitriadis, Ph.D., CISA, CISMis head of information security at INTRALOT S.A., a multinational supplier of integrated gaming and transaction processing systems based in Greece. In this role, he manages information security in more than 50 countries in all continents. Dimitriadis is a vice president on ISACA’s Board of Directors. He has served ISACA as chair of the External Relations Committee and as a member of the Relations Board, Academic Relations Committee, Journal Editorial Committee and Business Model for Information Security (BMIS) Workgroup. He has worked in the area of information security for 10 years and has 65 publications in the field.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.